copied text ..
 Home    Blog    creating-ssl-certificate-secure-mqtt-communication

Generating SSL Certificates for Secure MQTT communication

by Ranjith Kumar DSM | Apr 12, 2017 | MQTT Broker, MQTT security, MQTTRoute | 0 comments


Generating SSL Certificates

SSL Certificates plays a major role in enabling the security. Hence, MQTT Broker provides an option to enable SSL / TLS mode of encrypted data transfer for enhanced MQTT Security or secure MQTT Communication. Works with all standard SSL/TLS Certificate or run with self signed certificate


SSL certificates are files that has digital data of encryption key to encrypt data for security. Hence, You can use the certificates to make sure the data encryption in the tunnel and cannot be tampered. There is a need of key for decoding the data at the other end.

Create Root Certificate

The following command creates the private key file.

openssl genrsa -out root.key 2048


To create a password protected key by adding -des3.

openssl genrsa -des3 -out root.key 2048


The above command will create a root.key In the current folder. our next step is to generate Certificate signing request file using above generated RSA private Key. Besides that, It contains encrypted personal details of the Host ie. country, state, organization, common Name, email address, and public key.

openssl req -new -x509 -key root.key -out root.crt


The above command will prompt for the following details.

Country Name :
State or Province Name :
Locality Name :
Organization Name :
Organizational Unit Name :
Common Name (e.g. server FQDN or YOUR name):
Email Address :
A challenge password :(optional)
An optional company name :(optional)


You can use the above two files to sign the certificate.

openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt

The above command creates the X509 based root certificate which is considered as CA Root Certificate The above command generated a root certificate root.crt which is valid for 365 days.

Creating a MQTT Server certificate

openssl genrsa -out server.key 2048


Create a Server csr file that holds the complete server details of the host. The following command will prompt for the company details.

openssl req -new -out server.csr -key server.key


Use the following command to create the Server certificate . Use the root certificate to create the server certificate.

openssl x509 -req -in server.csr -CA root.crt -CAkeyroot.key -CAcreateserial -out server.crt

Creating MQTT Client certificate

The above procedure followed for the server certificate can be used to create the client certificates. Please use appropriate name for the files.

The above certificates are also valid for 365 days. Same Certificate Authority is used for generating both the client and Server certificate.

Secure MQTT Communication in MQTT Broker

The root certificate, server certificate and server private key needs to be placed on the server side and the root certificate, client certificate and the client private key needs to be placed in the client side


We can either have a common client certificate or individual certificate for each client. You can issue a certificate to client using your own root.key and root.crt. MqttRoute / MQTT Server verify the common name and the client IP during the connection process. If both are same then only broker allows the client to connect otherwise reject the client’s connection request.


Follow the steps to run the MQTT Broker and the MQTT client in the MQTT Broker


  • Broker certificate and Key file MUST be present in ./Certificate/server folder.
  • Client certificate and Key file MUST be present in ./Certificate/client folder.
  • CA Certificate MUST present in ./Certificate/root folder
  • Broker and Client certificates MUST be signed by same CA

Download the makefile and follow the above procedure to secure MQTT communication in minutes.

Please make sure the necessary information is provided during the prompt.

MQTTRoute is designed to secure the data from the device to the enterprise system. Learn more about the data security for secure MQTT Communication.


Write to support for any assistance regarding MQTT Security. To get started sign up for hosted setup or download a forever free version for local installation.

Submit a Comment

Please take a moment to fill this form